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SYSTEM : AND METHOD OF ADDRESSING EMADL A£0 ELECTRONIC 

COMMUNICATION FRAUD 

BIELD OF THE BN^NTION . 

The- present invention relates, to . email fraud detection and prevention, more :;: 
specifically to, interfering with and/or tracking certain fraudulent attacks; fbr£hennore 9 the. 
present invention relates to testing data gathering systems. 

iACKG^OUND OF THE INVENTION. 

The rapid increase in the number of users of electronic mail and the low. cost of. 

. distributing electrqtiic. messages via the Internet and other electronic communications . . 

..hel^oiks has ihade marketing and comrrmni cations with existing customers via ermail an * " : 
■:affractive..adve^sing medium. Consequently, in addition to communications that arej ;7 : - 
- watranted by 'consumers,, e-mail, is now frequently used, as the. medium for uhsoficited;.. v 

corntnunicatidii . and marketing broadcasts 6f messages .to e-mail, ajddfe'ssfcs^ commonly . . 
. knovra as "Spam".' '.'ffihislriTig", which may include e-riiail . identity ; fraud 'and brand : . -\ 
) impersonation are the newest forms of harmful Spam .attacks feat beaten the integrity of .'; ' 

/cpmpames doing business online. Fraudulent Plashing .email messages, may be / 

considered tb.be,* , for., example, messages '.that appear to. be sent. 'from a legitimate 
: doriipany's- website or .domain address, but in fact, are hot ia reality, spaahmers or .other . 

parties are. hijacking the company's brand to attract the attention of customers, often to 

•gain personal information* . . :-; = : ■ ■ . .V 

. Lately, .financial, institutions as weil as other companies that have a trusted /■ 
, relationship with their customers have .been attacked by Phishing. For the sake of ... " 
• example, and without limiting the generality of the phenomena, if a bank is attacked by - . 

Phishing, individuals may receive an e-mail which is allegedly sent by the bank, and are . . . 

persuaded into supplying private or valuable identifying personal data online under 

several pretences — for example, without limitation, — so that the bank can register them . -:* 
•to anew service, or to protect against unauthorized charge . 
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The damage to the bank, or any other company whose, identity if faked is 
significant. fMsliing .can injure valuable corporate brand equity, ruin ; customer trust, 
increase operational costs through, growing customer compiaints, and present additional 
{ risk s and problems. .. The bank or other attached company may has to publish' a general 
- warning to its customers, and sometimes even cancel or block people's accouxits. 

; -Phishing may involve, but is not limited to* for example: (1) The originators of 
''Thishing" e-mails attempt to make the e-mail distributed seem to ..be coming from a . 
• ile^tiinate source. In order to. achieve that goal, the Phishing e-mail may be disgiiised as a 
. legitimate. e-mail, arid includes elements and characteristics of a legitimate organization, 
; such as . (without limitation) logo, domiain names, brands and colors; (2) In. order for the 
Phishing to be advantageous for its originators, the originators of 'Thishing" need to 
somehow divert -.infomLation that the trusting consumers submit in. response to . the 
: ; seemingly legitimate e-mail. Such information might be diverted via for example a li^V to 
k separate web-page that requires the individual to input valuable private information, 6t . 
-Via, telephone, if ^e ; 6-mail .directs the recipient to call a' certain telephone number^' 
^(following which the recipients valuable information might be collected oyer the phpne). 
.'Such illegitimate links or contact telephone numbers may be referred to as '/illegitimate 
contact pointers". .*• '. v */v*. "v. ' " 

" The implicatiohs of the above characteristics of Phishing are that any Phishing e- 
•mails typically include. a. mixture of both legitimate and illegitimate contact pointers 
(such, as links to pi:i^t;web pages or telephone numbers). Legitimate contact pointers 
:^oiild pbint to web pages or telephone numbers that belong to legitimate e-mail senders, 
.ffle^tiinate contact pointers would point to web pages or telephone numbers that belong 
vtb.the parties committing fraud. 

SIJ]NIiyt^ INVENTION 

• In one embodiment, a system and method may respond to a fraudulent attack, such as 
a Phishing attack. The system and method may send a number of responses to party 
■committing fraud, the responses designed to mimic the responses to a Phishing attack. 
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'.;The responses may include codes or marked information designed to entrap ot detect thd : 

{party coVnrnitting fraud. . V 

I Embodiments of the present invention relate to a method and system for .reducing 

"negative consequences associated with the submitting of valuable and confidential 
-■infonraticHi by individuals to fraudulent impostors, as . well as for increasing the. 
^Ktelihood.fhat fraudulent impostors.be captured. 

. \ / ; Embodiments of the current invention include a system and method for minimizing- \ 
the impact of Phishing scams as well as facihtating the detection of the originators of the, 
'attack. , 

BJRBEF DESCIUtPTTON OF THE DRAWINGS 

...Embodiments of the invention are illustrated by way of example and not limitation in . . 
. ' the figures of the. accompanying drawings, in which like reference numerals radicate . 
; cbire^onding, analogous or similar elements, and in wtiich: . 

* : Fig.* 1 depicts a system according to one embodiment of the .invention; and 

• : Fig. 2 illustrates a multiple-access-point computer network which may be used with 
airi embodiment of .the present invention. , v - • ~.;V .!* 

-Jt ^ will/be appreciated that for simplicity' and clarity of illustration elenients shown in';" 
the.figuf es have not necessarily been drawn to scale. For exainjple, the dimensions of - 
: spme of the elements maybe exaggerated relative to other element's for clarity. ■; 

DETAILED DESOEttPTTON OF THE IfrVENTlON 

In the following description, various aspects of the present invention will be . 
..described. For purposes of explanation, specific configurations and details are set forth. 
; in order to provide , a thorough understanding of the present invention. However, it will - 
also be apparent to one skilled in the art that the present invention may' be practiced 
. without the specific details presented herein. Furthermore, well-known features may be 
: omitted or simplified in order not to obscure the present invention. Various examples are . . . 
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—given ;fhroughouf this description. These are merely descriptions of specific embodiments . 
of the invention, but the scope of the invention is not limited to the examples given. . . ; * 
* % " : The goal of a useful anti-Phishing and/or anti-fraud service may include, for example, 
ahy or all of the following: ". 

1 '. Detection of potential Phishing scams; 

•2.. Coiifiguration options to allow the definition of Phishing detection parameters; ■ ; 
v3. Alerting against" a detected scam; 

4. Option for the targeted institution (e.g., bank, financial institution,, etc.) to request: 
a. Blocking of the Phishing e-mail . before it. reaches .the recipients'.; 
.mailboxes;- . 

• l>. Alert to consumers' (e.g., accomtholders, cardholders) e-mails; 
c. M&rt to law enforcement or regulatory authorities; and/or ; . ; ' ; 
■ji Approval of the mail as^an bfecial e-mail, by. the institution :(non- . 
• Phishing); 

.5. Tobls. for .minimizing the impact of the Phishing . scam,, as well as. tools..;that 

... -facilitate detecting the Phishing originators. 
. According to one embodiment of the present iriventipn, the detection of. Phishing . 

■ scams, can .be done ,iisirig 'existing anti e-mail-spam methods which cm issue^ alerts...: 
Whenever they detect an e-mail, which contains at least X (e.g., a suitable nuinber; where 

> one may be a Suitable number) legitimate contact pointers, stich. as domains, trademarks^ . 
^service .names, .phone. numbers, etc., by a centralized service, such as . a : "Service 
/Provider," along with iUegitimate pointers. \\ VI'*:.:' ' • " 

One such anti e-mail-spam method, is called 'Sidney pots" , or "decoys". An anti e— 
/inail-sp^m company jthat works with this method may set up Numerous e-inatt. -accounts *. 
thai do not belong to real people or entities, and lists thera in public e-mail guides, .if an. 

■ ':e-mail gets to these addresses" it can be either the result of a spam of an honest mistake..If , • 
: - .the e-mail reaches several addresses iiie chances of an honest mistake are slim*. Other.: 

methods may include for example content filtering or sniffing. 

! Once a potential Phishing scam or other tmwanted data communication is identified 
some pre-processing may be performed to make sure it is indbed a suspicious e-mail or ; 
communication. 



.4 . 

BEST AVAILABLE Copy 



WO 2005/048522 



PCTAJS2004/036993 



■ \ - ; Yarioiis devices and architectures, and sets of devices may form, a system according 
: r to various embodiments of the present invention, and my effect a. method Recording to . 
"Embodiments of the present invention. Methods according to various embodiments of the 
present invention may^ for example, be executed by one or more processors or computing 

• systems (including, for example, memories, processors, software, databases, etc.), which, 
; for example, may be distributed across various sites or computing platforms; alternatively, 
sqnie methods according to embodiments may be executed by single processors or 
computing systems. The following illustration outlines a solution architecture according 
to. one. embodiment of the present invention; other suitable architectures are possible in , 
accordance with other embodiments of the invention. 

' ;Fig. 1 depicts a system according to one embodiment of the invention. A network 10 
such as the, Internet, the Internet in combination with other networks, or some other 

■ network combination of networks connects a set of entities. A . central server 20 .may 
. provide services such as monitoring Phishing or other e-mail oriented fraud, and may try- 
to counteract, interfere .with, or track such fraud, or attempt to track down the identity of 
-.the perpetrators. A set. (where set can include one element) of institutions 30,- such as 
" batiks, financial institutions, or other institutions, which may be targets of Phishing. or 

other fraud, may request services from the central server 20. . One or nipre parties. 
' committing fraud (which may be known as for example "fraudsters") . 40 may attempt to 
commit fraud via email, for example via 'TPMshing", by sending fraudulent emails to a set 

■ of users 50, for example requesting the users to contact an institution 30 using a contact , 
. point or address (e.g., an 6mail address, an Internet address, etc.) or phone number that is 

. Actually directed to the party 40 or an associate. The contact point or address may be 
. made to appear as it if belongs to a legitimate institution 30. The central server 20 may 
attempt to send fake or other information to the contact point or other address to interfere 
with or stop fraudulent activities. In one embodiment server 20 monitors for Phishing 
:' attacks; in other embodiments other entities such as institutions may inform server 20 
regarding Phishing attacks. '** 

" The contact point may be an e-mail address. Thus the data in a response may be sent 
■to the party committing fraud via email, possibly directly (e.g. by the party requesting the 
: details to be sent via the "Reply To 1 ! email option, or by a JavaScript client side code that 

:5: 
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//does so automatically, etc.) or indirectly to ihe party (e.g., file party may implement a ♦ 
web-to-mail interface, wherein the user data is eventually sent to an email address from 

- where it is later collected by the party). . 0 "• 

i . ' ; Central server 20 may. include one or more database(s) 22, a controller or processor 
' ;24, and software 26, which may include for example, an identity generator 28, or other 

suitable modules. Controller or processor 24 may execute instructions in software 26 to 
• perform. Various .functions such as those described hereto. The functionality of cehtral ■ " 

server 20 may be. implemented in other manners, such as being distributed among bfher 
. /sites, being included in. one or more institutions, etc. For example, in one embodiment a 
. bank may include the, fraud blocking or tracking capabilities as described herein- The 
.* central server 20 may have as customers institutions 30 that wish, to stop and/or entrap 
. feud committing parties, but such a customer-client .relationship is ndt needed; for : 
.exainple central server 20 may be a government or non-profit entity, part of a consortium - 

- of interested parties, br part of an institution 30. 

The central, served .20. may detect fraudulent activity (e.g., Phishing); alternatively the 
central server 20 may act after being requested by an other party which has detected " 
.feudulent activity. . Tie central server 20 may for example, provide multiple responses to . 
Vaicqnjact point created by a party 40. The central server may respqhd.multiple.tim'es to 
rnimic a group of users responding to the fraud (each response may include different* 
data), and the responses maybe timed, paced, and/or numbered to mimic the natural 
: Response of a large group of people. For example, responses may start with a flurry arid '■ 
'•thei gradually slow down, and each response may be sent at a somewhat random time 
vtfthin an overall desired pattern. The total number of responses may be in proportion to 
:;.a sizeof the attack in response to which the responses are sent. For example, the number * : 
pf responses can be X% (e.g., 0. 1%, 1%, 5%, 10%, etc.) of the number of emails or other • 
communications that constituted the Phishing or other attack, possibly based on known • 
.response rates. Each response may be for example the central server filling in or 'sending 
details to a web site or web form, possibly at the contact point. Furthermore, within each 
response, data may be entered at a speed an pace to mimic a human entering information 
.^ing a keyboard and pointing device (e.g., mouse). A response may include a set of 
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■ [details such as a set of felse personal information. Multiple sets df false personal - : 

• information can be created and for example stored in a database 22., 

'•• . : According to pne.emWdinient ofthe current invention the, central seryer.may perform 
.•:tasks.such as, for example: Dilution: For exaa^l^&fhi^^^^ilB;, at a 1 contact '.' 
: point denned by a party 40) maintained by a party 40 which tries to : cbUect data from foe . : 
. .central server (or "Service Provider") customers (e.g., institutions 30) is fiUed with foke 
records of people, thus diluting the quahty of data that foe . parties cbrnhntting fraud • 
obtain; (2) Mark & Block: For example, using responses with marked data, foe Phishing - 

• website which tries , to collect data from institution 30 'is filled, with fake records <5f 
:people; When foe central server 20 detects .foat foose."fake. peopW , 

. ' central server 20 real . website/Service or an fostitution 30 website, if may be possible to Y 
.. .identify foe source of foat atte : mpt (using the phony records) -and to block., any further ■ 
attempts, from ..that sjune source' (e.g.. IP,, location etc), this way, when foe .jiarfy . 

• ;^™ lmttin g fi au d (e.g., "fraudster") attempts to access central, servfer 20, or ihstitatirin 30. 
" ; service using real valuable, stolen data (and not foe fake one. sent to it) such usage will be 

• blocked, including good details; (3) Mark and CaptinW For^exam^e, .foe Phishmg : 
>websue which tries to collect data from foe Service Provider's 'c^om^ SMed.^ifo* ^ 
: fake records, of .people, via responses with marked data. When foe Service Provider ' 
..•detects that these '■'to. people" attempt to enter foe Service Provider's real.website^foe. ..' 
. .Service Provider can attempt to locate the party connnitting fraud. A central, server .20 or ' j 

. institution 30 can monitor, for example, an institution or central server website, for foe 
|use of marked, data.m an attempted transaction. Other, actions maybe faken. 

■ ) According to one embodiment of foe current invention dummy responses may be senf 
. to foe fraudulent fifo, (e.g., maintained by a party 40) by, for example^ the central server V 
20 as if foe responses were coming from real users who were defrauded by the sciim. Ihe , 
. fraudulent site is fed with useless records, and hence foe quahty of data that is obtained is • 

• fluted. According to one embodiment foe amount of responses can be configurable so ' " ; 
foat it would be consistent with foe estimated attack size (importantly foe estimated ' 
number of users Who may actually give away their personal :irmbrmatiohy which, can, be. '[[ 
determined by using statistical assessment). 
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; According to one embodiment in order to ayoi&.suspicion on bebai^.of; fixe, party 
. committing fraud 40, the central server 20 may s imulat e a real Kttmkn riser feeding data at 
. iin appropriately slovv, human typing pace, seemingly from multiple BP addresses with 
.intervals ibetween data siring to the other. . • : -V'vN^' v '\ 

: .. Data in a i^onSe.may include or be marked with for example data or. codes 

• identifiable, to a central server 20 or institution 30;. so that for. example. its. use can be , 

• tracked. * F\^eocm:pre, data may be marked with crjpto^a^liically encoded portions. 
Details may be marked in a manner making it (for example by using a cryptpgraphically 
}strong ^gotithms) infeasible to spot or detect, except for those jfrhp have a cryptographic 

• key ^iii.which the. marking can be deciphered and/or extracted from the data. ' " v t • " 

■ : . Aft embodiment of the system and method may be designed to reduce the quality of 
'.the data obtained by the party committing fraud during a PHshing attack, and thus 
mitigate the attack's negative consequences. By diluting the data obtained by the party ■' 
committing fraud, the stolen data obtained, by the ; "fraudster" "becomes.; less valuable, 
. .hence reducing the incentive to attack service providers who utilize the proposed system . ' 

• • - According to one embodiment a limited amount of dummy responses are submitted to 
•.the fraudulent site where the responses are marked, such that the responses can be tracked / 
vat a .later stage. .. This may be done in combination with sending un-marked responses. " 
'/This way the use of the. credentials provided as part of these responses can be monitored. 
>'^enev£r the system idetrtifies an attempt to itse such parked credentials'! it is pbssible 
: -;kQcoidhig to- one 'embodiment to block the access. to the. Service. from such location 
-"(typically an IP address where "bait information" was attempted to be. used from), and . 
'therefore prevent attempts to use real, credentials from such location.. According to a 

■ different embodiment of the current invention parties committing fraud might be located 
/based on the marked., responses. In many cases these "fraudsters" obtain information • 
during a Plashing .attack, but do not attempt to use the data for .several mbnths. Marking 

• the dummy credentials submitted to the fraudster according to the above embodiment 
. may allow a server or other party to follow the credentials for a long period of time. Jn 
•addition, in other embodiments having other uses, dummy, randomized or manufactured. 

-. . . 
'8.; ' 
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v responses, mth.randomized or fake data, may be submitted to other sites .or contact . 
; points, such as systems being tested or debugged, or for the purpose of training. 

m •' According to one embodiment of the current invention, a multiple-access-point 
. computer network may be used to simulate responses from* various points of presence via 
different network connections, such as for example Internet connection.. Parties 
committing fraud therefore are not able to simpiy "ignore" all informatioja coming from a . : 
t singlepoint of presence, and cannot detect that in fact fake credentials are fed. - 

: Following a Pftishrng attack, according to one embodiment of the current invention 
:the.^ystefn may in responding and sending false data use a multiple r access-point 
computer network which uses several levels of design, which helps to ensure that dummy 
. Responses are undetectable. Responding may be conducted using miiltiple Internet access 
-points, multiple intermediate networks, and/or multiple intemiediate Internet service 
providers. Internet accounts used to generate the dummy responses may use dynamic 
; network IP addresses, or use proxy servers and imitate behavior or users that pass via ' 
Jjfpxy when relevant using both dialup and broadband cdnnection in order to further • 
'disguise the couHter-i£easure. The dialup connections may alternate between different 
telephone exchanges in order to prevent sophisticated parties comanitting fraud from 
. packing the physical location of the source IP addresses. 

£• Fig, 2 illustrates a multiple-access-point computer network x which may be used with 
;) im embodiment of the present invention. Users, computers, or other access points 60 may . . 

.contact a party .40 which intends to. commit fraud via multiple ISPs or other service 
.■ providers 100 and 102, possibly being geographically distributed, possibly via network 

10. (Fig. 1). Alternately, central server 20 may contact party 40 via multiple ISPs or other 

service providers 100 and 1 02. 
. According to one embodiment of the invention the central server 20 may use a 
, scheduler or other system which may regulate the "response sending rate" in order to , 

eiisure that the dummy responses are monitored, and may thus simulate real responses. 

The scheduler may be important where large amounts of dummy responses are fed to the 

spoofed site in order to de-value the obtained information. As with other modules, the \. 
. scheduler can i>e implemented in the software 26. . 
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^ ! Acfordmg to anoflier.exnbodfmeat of the invention responses may be designed: to 
: resemble human behavior and appear to be sent from actual recipients, of the fraudulent er 
mail. . This can be done for example without limitation by using Robot-like, software, 
pqssftly iinplem 

" B^ch response rhay include details which are internally consistent mthin the - . 
„'J r^ohse.,. For example, according to one embodiment of the Mveition the system and : 
^method includes an identity generator", which produces phony details ".that appei to be 
. legitimate (e.g., adhering to the rules of different data elements, such as user names and 
passwords, onlinp banking credentials, credit card details, . checks etc.). The identity s ; 
. generator iriay he cord&gur details ani jules. * \ " ; 

:•. The.icientity generator may create dummy or fake identities "using a lairg6 database 
-p^rt of database 22) of names, local addresses, e-mail domains, and niqre. Such 
. vfake identities .may be part of database 22. The dummy identity may be. coherent o£ . 
\ : co^ different pieces of information do not contradict each other* and also 

•m^ match theexternal .conditions (such as for example Internet connection) ! . Thus 'm*. ' 
'^vpne bmhpdi^^ within a response mcludes a set of* Retails Mii^ste&^|hL 

to be used for the response, A phone, iiuinber Hhat ihaj^ be part • 
i of ilie details may match the address as well as the telephon^ exchange ttsed for a dial-up 
6onne6tion used to transmit the response. Iaaddition tiie e-mail address may rriafch the , ; 
:.:15P used aaid so" on. Other sets of details may be used.. In "the case of online credenitiai; : 
. : fraud, the central server 20 may randomly generate usemamesjand passwords that match. 
. #fre cikupany* s rules as well as an e-mail, address which appeals io .inatch the usemanie \ 

% • . . According to . one embodiment of the invention a system that responds fo Phishing 
' .attacks by generating random credentials and feeding them into web-formsj colild seivb - ' 

additional purposes such as testing services, debugging services as well as for the sake.of - ' : 
; demonstrating various scenarios. In such an embodiment, a website or other boniabt 

point to be demonstrated, tested, etc. can be contacted muitipie times to, for example, 
. enter data, fill in a web-form, etc. with a set of data. Each Set of clata can include, for " 
; example, a set of details, the set of details including a set of false personal information. 

The contacts or filling of data on for example the web-form can include transmitting 

- 10 . 
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mfomiation at a speed, designed to mimic a human entering data. .The timing of the 
/ . contacting can be set to resemblethatof a set of unrelated users. Each contact or 
-response may include a set of details lhat are internally consistent. 

• ;For such a method, or any of the methods described herein* a database may be 
'created, including a set of false or manufactured data which may be for example 
organized. into. identities, each felse identity including a set of data which is consistent 
vmthin the set For Example such a database may be stored in database(s)22.. 

.; Credentials generated and used as part of the service may be created us;ing a 
■ qoptogr^jhic key, such that the marking of the credentials could not .be detected without 

* • t^e.key. .Real data may be used, so that the party committing fraud will actuaUy perform 

tfae. transactions, and could more easily be tracked. 
; In other, embodiments, a system and method that creates and/oir transmits ' 
. ffi^itfactured data, as described herein, may have other uses, for example, training, 

* /testing, ^ developing, demonstrating, etc. For example, responses or other sets of 

< jpanu^Med data may be sent to one or more contact points, wherein, 

. y'-&Cdata is used to train people, such as customer support representatives, sales . ' V ' : " 

Representatives, etc., interacting with the system. Both the system or server generating 
J. ^e .da^ and the, system receiving the data • 
Asafne systeffi. An automlated or semi-automated system for dealing with large numbers bf , 
^people can be desigded^demonstrated, or tested using such a system and method. • 
.•'^R^o'rises or sqts of false or manufactured data may be. sent to demonstrate, debug* test 

lor develop a. system, which may deal with .sensitive personal information, so that real data 

* is not .revealed to the viewers. ' . : " V 

A : system, aid method that creates and/or transmits fake or manufactured data, as . 

. described herein, may for example be used against software such as "Trojan horses", or 
other software, where, for instance, malicious software installs itself on a user's system • 

:>;(e.g., a.^vofkstation, a personal computer, etc.) in stealth mode. The piece of software 
may listen to incoming and outgoing communications of the clients system via for 
example the Internet, and may monitor browser events and user inputs (e.g. keyboard. 

* logging). When such a piece of software intercepts a login activity in which the user logs 
in to a designated web site or system (or to any site), the login credentials may be 
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[/collected through the keyboard logging facility and covertly, fransmitted to a site in 
. . control of the party committing fraud. Such transmission can occur over a multiplicity of 
protocols, such as e-mail (e.g., SMTP), the Internet (e.g., HTTP/HTTPS), FTP, and 
: pikers. . In. one embodimait of , the invention a system and method may. generate and/or 
.^^trmatoit;\fcr. example in. a , set of responses or transmissions including fake, data, 
• mbrnddiig the. behavior of "Trojan horses", or other malicious softwares that may be 
" : designed to be installed on a. user's systems. As described herein, such responses may be. 
- 'sent at a pace that mimics a set of responses from a set of geographically dispersed users 

•'using different computer and communications systems, and may include. fake data. as 

...described herein. In such embodiment, title dilution or responses may. work directly. 
■ ./against the part/ s contact point, using the protocol chosen by the party, and imitating die 

rbehavior the software woidd assume. VV. 
; . k . . While certain features of the invention have been illustrated and described herein, 
. ;inany modifications, substitutions, changes, and equivalents will now occur to those of 

-ordinary skill in the art. It is, therefore, to be understood that the appended.claims are 
ymfehded to cover all suchrhbdifications and changes as fall within the spirit of the. : : : 
; 'mventioh. 
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